Unknown · Anything-Llm · CVE-2026-48116
**Name of the Vulnerable Software and Affected Versions**
AnythingLLM versions prior to 1.13.0
**Description**
The filesystem-search-files agent skill passes an LLM-controlled `pattern` parameter to ripgrep as a positional argument without a `--` end-of-options separator. Because ripgrep parses any argument starting with `-` as an option, a `pattern` such as `--pre=/bin/sh` allows ripgrep to act as a script executor, running `/bin/sh <file>` for every file processed. An attacker capable of chatting with an agent on a deployment where the filesystem plugin is enabled can combine this with the filesystem-write-text-file skill to execute arbitrary commands within the server container.
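The argument handling described above, shown as an added example that is not AnythingLLM's own code or its actual fix: the argv shape with the pattern as a bare positional, next to the same call with a `--` separator. The function names, `FIXED_FLAGS` and the `./docs` path are assumptions made for illustration, and ripgrep itself is never executed.

```javascript
// Flags the hypothetical skill always passes; both are real ripgrep options.
const FIXED_FLAGS = ['--line-number', '--no-config'];

// Shape described in the advisory: the pattern is a bare positional, so a
// value starting with "-" is read by ripgrep as an option, not as a regex.
function buildArgsVulnerable(pattern, searchPath) {
  return [...FIXED_FLAGS, pattern, searchPath];
}

// Hardened shape: everything after "--" is positional, whatever it starts with.
function buildArgsHardened(pattern, searchPath) {
  if (typeof pattern !== 'string' || pattern.length === 0) {
    throw new TypeError('pattern must be a non-empty string');
  }
  return [...FIXED_FLAGS, '--', pattern, searchPath];
}

// Models the parsing rule the advisory relies on: before "--", any argument
// starting with "-" is an option. Returns the options that are not in the
// fixed allowlist, i.e. the ones the caller never meant to pass.
function unexpectedOptions(argv) {
  const end = argv.indexOf('--');
  const optionZone = end === -1 ? argv : argv.slice(0, end);
  return optionZone.filter((a) => a.startsWith('-') && !FIXED_FLAGS.includes(a));
}

// Constructed inputs: one ordinary regex and the value quoted in the advisory.
const samples = ['TODO|FIXME', '--pre=/bin/sh'];
for (const p of samples) {
  console.log(JSON.stringify(p),
    'vulnerable:', unexpectedOptions(buildArgsVulnerable(p, './docs')),
    'hardened:', unexpectedOptions(buildArgsHardened(p, './docs')));
}
```

A check like `unexpectedOptions` can also run as a unit test or pre-spawn guard over any argv that mixes fixed flags with model-supplied values.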
**Recommendations**
Update to version 1.13.0.
As a temporary mitigation, disable the filesystem plugin or restrict the use of the filesystem-search-files agent skill.